On Mon, 2009-08-03 at 10:20 +1000, Scott Radvan wrote:
Hi,
Working on the Postfix chapter in my SELinux managing confined services
book [0] and am having trouble with Postfix/spamassassin.
I have got email traversing back and forth just fine, but I am trying to
invoke a denial or a problem for which I can document the work-around.
spamassassin_can_network seems to be a good Boolean to explain, show
the denial and then show the work-around for.
This Boolean is off by default, which as far as I can tell would stop
spamassassin from launching as a daemon listening on the machine's
actual IP/interface.
But my problem is that it is launching without a problem and listening
on the machine's interface without error. I am assuming that it is
working fine because the spamassassin processes are only launching as
initrc_t, when it should be transitioning to something else..?
# ps -eZ | grep spamd
unconfined_u:system_r:initrc_t:s0 3085 ? 00:00:01 spamd
unconfined_u:system_r:initrc_t:s0 3087 ? 00:00:00 spamd
unconfined_u:system_r:initrc_t:s0 3088 ? 00:00:00 spamd
# ls -lZ /etc/init.d/spamassassin
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/spamassassin
(I tried labelling this differently to this default setting, to
spamd_initrc_exec_t, but to no avail.)
# getsebool -a | grep spam
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
Basically I need to make sure spamassassin is starting normally so that
the Boolean mentioned will block access. So any help is appreciated,
should spamassassin as a daemon transition to something other than
initrc_t? And how do I get it to do so?
Or am I going down the wrong track to get this Boolean which is off by
default to do something which I can demonstrate and fix?
Thank you,
Not sure but probably a bug.
This is an application domain. I cannot find an init_daemon_domain
declaration, meaning initrc_t does not transition.
There is a spamassassin_role() in the interface file with a transition
defined for users however this interface is probably not called by the
user domains.
hth
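The diagnosis above (daemon processes still running as initrc_t because no init_daemon_domain transition exists) can be turned into a quick check. The following POSIX shell snippet is an added example, not code from the thread: it parses `ps -eZ` style lines and reports every process whose SELinux type is still initrc_t, and can print the domain a given command actually runs in. The spamd lines in the sample are the ones from the thread; the master/crond lines are constructed for contrast, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output: the three spamd lines from the
# thread, plus two made-up daemons that did transition into their own domains.
SAMPLE_PS='LABEL PID TTY TIME CMD
unconfined_u:system_r:initrc_t:s0 3085 ? 00:00:01 spamd
unconfined_u:system_r:initrc_t:s0 3087 ? 00:00:00 spamd
unconfined_u:system_r:initrc_t:s0 3088 ? 00:00:00 spamd
system_u:system_r:postfix_master_t:s0 2200 ? 00:00:00 master
system_u:system_r:crond_t:s0 2100 ? 00:00:00 crond'

# Read ps -eZ output on stdin and print "<pid> <cmd>" for every process whose
# type (third field of user:role:type:level) is initrc_t, i.e. a service the
# init script started but that never transitioned into a daemon domain.
# The header line is skipped automatically because "LABEL" has no type field.
stuck_in_initrc() {
    awk '{
        split($1, ctx, ":")
        if (ctx[3] == "initrc_t") print $2, $NF
    }'
}

# Print the distinct SELinux type(s) that a given command name runs under.
# Usage: ps -eZ | domain_of spamd
domain_of() {
    awk -v cmd="$1" '$NF == cmd { split($1, ctx, ":"); print ctx[3] }' | sort -u
}

# Number of distinct command names still stuck in initrc_t.
count_stuck_commands() {
    stuck_in_initrc | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# On a live SELinux host replace the sample with: ps -eZ | stuck_in_initrc
printf '%s\n' "$SAMPLE_PS" | stuck_in_initrc
printf 'spamd runs as: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | domain_of spamd)"
```

A daemon reported here is running in initrc_t, so Booleans scoped to its own domain (such as spamassassin_can_network for spamd_t) cannot take effect; the fix is on the policy side, not in the Boolean.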
So first see if you can get it to run in its domain by restoring the
locations mentioned under contexts. If that does